Dec 31 2009

Making the Grade

Most government IT managers probably wouldn't relish having to take their security report cards home. Here's a primer to keep your agency from flunking out on systems security.

Photo: Sean McCormick
Filling individual security gaps is important, but ensuring the security of an agency's IT enterprise takes precedence, HUD Chief Information Security Officer Patrick D. Howard says.

If agencies were high school students, many would be grounded. According to the most recent security report card issued by the House Government Reform Committee, half the agencies rated received a "D" or worse. Although some government systems chiefs dispute the accuracy and relevance of the ratings, most agencies' systems security executives realize they face a major problem that requires immediate remediation.

So what should agencies do? Here are five actions that security experts identify as fundamental best practices.

1 Determine areas of weakness. That was the first step at the Housing and Urban Development Department. "We have 5,000 weaknesses. We're working very hard to fix them," says Patrick D. Howard, HUD's chief information security officer. But Howard also notes that "this isn't something we can do without automation."

Howard and other federal security officers say that though there are fixes—often relatively simple ones—for individual security problems, the more serious challenge is protecting the enterprise as a whole, and that requires automated tools.

At HUD, the information security team is developing tools to ferret out and then rate the severity of weaknesses in the department's systems, Howard says. "Our first goal is to prioritize the issues we have to deal with."

Howard ranks vulnerabilities by evaluating the impact a potential breach would have and the probability of a breach's actual occurrence.

Generally, he finds that vulnerabilities fall into four chief categories: failure to implement current patches to software; failure to comply with established configuration standards such as password complexity; failure to use an application's auditing features; and failure to establish contingency plans.

2 Implement objective and consistent rating criteria. George A. Bonina, senior agency information security officer at the Environmental Protection Agency, accepts ultimate responsibility for departmental security problems, but he holds lower-level managers accountable for problems in their areas and monitors their security efforts.

"EPA has an overall security rating. But we also want to rate the individual agencies to see how they're doing," he says.

Bonina runs security scans for each of the 23 agencies under his purview. The resulting scorecard produces color-coded ratings: green, yellow or red. The ratings provide feedback in specific areas, so that a manager whose program earns a yellow or red rating, for instance, knows the exact problems to work on, he says.

For the EPA scorecards, Bonina reviews compliance with agency configuration standards, password management, encryption methods and access policies.

Before implementing the internal scanning process, Bonina had to depend on each EPA organization to self-report its security, which led to inflated rankings. No one ever, or hardly ever, gave themselves a red rating, he says. Bonina is quick to note that he's not accusing anyone in EPA of whitewashing problems. The real issue was a lack of overall standards and an enterprisewide evaluation tool, so organizations rated their compliance using multiple and varied standards, he says.
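The two steps above describe one workflow: rank each weakness by the impact of a breach times its probability (HUD's approach), then rate each organization with the same objective criteria so that a yellow or red result points at specific problems (EPA's scorecard). The following is an added illustration, not code from either agency; the four weakness categories come from the article, while the 1-to-5 scales, the color thresholds and the sample findings are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# The four chief weakness categories the article attributes to HUD's reviews.
CATEGORIES = {"patching", "configuration", "auditing", "contingency"}


@dataclass(frozen=True)
class Finding:
    org: str          # organization or program being rated
    category: str     # one of CATEGORIES
    impact: int       # assumed scale: 1 (low) .. 5 (high) consequence of a breach
    probability: int  # assumed scale: 1 (rare) .. 5 (likely) chance it is exploited


def risk_score(f: Finding) -> int:
    """Rank one weakness as impact times probability (1..25), rejecting bad input."""
    if f.category not in CATEGORIES:
        raise ValueError(f"unknown category: {f.category}")
    if not (1 <= f.impact <= 5 and 1 <= f.probability <= 5):
        raise ValueError("impact and probability must be in 1..5")
    return f.impact * f.probability


def prioritize(findings):
    """Highest-risk weaknesses first, so remediation effort goes where it counts."""
    return sorted(findings, key=risk_score, reverse=True)


def rating(findings) -> str:
    """Color rating for one organization, driven by its single worst finding.
    Assumed thresholds: red at score >= 16, yellow at >= 9, otherwise green."""
    worst = max((risk_score(f) for f in findings), default=0)
    if worst >= 16:
        return "red"
    if worst >= 9:
        return "yellow"
    return "green"


def scorecard(findings):
    """Apply the same rule to every organization instead of relying on self-reports."""
    by_org = defaultdict(list)
    for f in findings:
        by_org[f.org].append(f)
    return {org: rating(fs) for org, fs in sorted(by_org.items())}


# Constructed sample findings (not real agency data).
SAMPLE = [
    Finding("office-a", "patching", 5, 4),
    Finding("office-a", "auditing", 2, 2),
    Finding("office-b", "configuration", 3, 3),
    Finding("office-c", "contingency", 2, 1),
]
```

Running `prioritize(SAMPLE)` puts the unpatched system first, and `scorecard(SAMPLE)` rates office-a red, office-b yellow and office-c green.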

3 Take advantage of the National Institute of Standards and Technology's Common Criteria certification program. The Common Criteria, maintained by NIST and the National Security Agency, is an internationally accepted set of standards for rating the security features of IT products. At NIST-approved laboratories throughout the world, testing teams evaluate products against the security claims of their makers.

To see whether a product your agency is considering is compliant, go to For each certified product, the site includes the security target, essentially a recap of features that the vendor claims for its product.

Understanding the extent to which a product meets its security specification provides useful information to a systems developer or integrator, says Stuart Katzke, a senior research scientist at NIST.

But an agency needs to do more than just check whether a product is certified as compliant and lives up to its maker's claims, Katzke says. "Common Criteria evaluation should be only one part of an organization's strategy to secure its IT systems." Katzke points out that a complete strategy would also make sure that products are configured correctly: Require system-level security assessment and approval prior to a system coming online, and mandate regular recertifications and assessments throughout a system's life cycle.

"Things change. There are upgrades, patches, new products. You have to make sure the system still does what you expect of it," he says.

4 Segment and authenticate users and data. Monitoring compliance requires a unified strategy by an agency, but protecting systems is a matter of divide and conquer, says Andy Garcia, network engineer for Dataline, a technology and security systems integrator in Norfolk, Va. He advises clients to make extensive use of virtual local area networks to segment an agency's users from its data.

"Put users on one VLAN and data on other VLANs. That makes it easier to control access, even on an individual user basis," Garcia says.

A systems administrator can specify access privileges for individual users and nodes on these VLANs, and can restrict which protocols are allowed and under what conditions, such as the time of day users can access certain files. "You can be very granular in determining who or what can ride that VLAN," Garcia says. Additionally, VLANs make it easier to monitor traffic and create logs that gather information about access and attempted access. Such logs can prove highly useful when trying to trace suspected hacker activity.

The only downside to this approach is the potential for making mistakes that create new security holes that a smart hacker can penetrate. "Human error is much more likely when you begin making very granular access controls for your data," Garcia warns.

But merely segmenting the data is useless; an agency must also authenticate users before giving them access to its systems, Garcia adds. He advocates using strong, two-part authentication—meaning both a password and an additional control—for most systems. He acknowledges that many agencies have difficulty outfitting computers with card readers or biometric devices or purchasing Universal Serial Bus or one-time password tokens for all users.

Whatever the expense or inconvenience, "you have to protect the entry points or all your other efforts won't help you," Garcia says.

5 Don't rely on default settings. Alan Paller, director of research for the SANS Institute in Bethesda, Md., warns against using products out of the box. He points out that a software or hardware product will often provide a backdoor—such as a default password—so administrators can gain entry.

"You want to close that door and lock it up," Paller says. He suggests that agencies change all default settings and create standard custom configurations.

Creating secure systems is a constant challenge. But the adoption of governmentwide standards, as mandated by the Federal Information Security Management Act, along with the development of tools to ease the process of managing systems protection, offer powerful IT security weapons. The government's systems security officers will at least have a decent chance of prevailing in their battle against vulnerabilities.